A vulnerability has been discovered in a third party cryptographic
library which is used by a number of Cisco products. This vulnerability may be
triggered when a malformed Abstract Syntax Notation One (ASN.1) object is
parsed. Due to the nature of the vulnerability it may be possible, in some
cases, to trigger this vulnerability without a valid certificate or valid
application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may
lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not
known to compromise either the confidentiality or integrity of the data or the
device. These vulnerabilities are not believed to allow an attacker to decrypt
any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco
products:

Cisco IOS

Cisco IOS XR

Cisco PIX and ASA Security Appliances

Cisco Firewall Service Module (FWSM)

Cisco Unified CallManager

This vulnerability is assigned CVE ID CVE-2006-3894. It is externally
coordinated and is tracked by the following external coordinators:

JPCERT/CC - tracked as JVNVU#754281

CPNI - tracked as NISCC-362917

CERT/CC - tracked as VU#754281

Cisco has made free software available to address this vulnerability
for affected customers. There are no workarounds available to mitigate the
effects of the vulnerability.

This vulnerability affects all products that use affected versions of the
third party cryptographic library and have enabled applications that use
crypto-related functions. The following Cisco products are identified to be
vulnerable:

Cisco Firewall Service Module (FWSM): only releases prior to 3.1(6) are
affected; 2.3(x) releases are not affected

Cisco Unified CallManager

The following text lists the application layer protocols or features that
must be enabled in order for a device to be vulnerable. It is sufficient that
only one protocol or feature is enabled in order for a device to be
vulnerable. In order to be not vulnerable, all of the listed application
protocols or features must be disabled.

Affected protocols in Cisco IOS

To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command to display the system banner.
Cisco IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS." On the next line of output, the image name will be
displayed between parentheses, followed by "Version" and the Cisco IOS release
name. Other Cisco devices will not have the show version command, or will give
different output.

Only Cisco IOS images that contain the Crypto Feature Set are
vulnerable. Customers who are not running an IOS image with crypto support are
not exposed to this vulnerability.

Cisco IOS feature set naming indicates that IOS images with crypto
support have 'K8' or 'K9' in the feature designator field.

The following example shows output from a device running an IOS image
with crypto support:

If your output is like the following example, then you do not have
IKE enabled on your device.

Router#show crypto isakmp policy
ISAKMP is turned off

In Cisco IOS, two features rely on ISAKMP: IPSec and Group Domain of
Interpretation (GDOI). Whether either of these features is enabled is detected
by the command in the previous example.

Prior to IOS version 12.3(2)T, IKE was enabled by default, with no
crypto configuration needed for the IOS device to process IKE messages.

12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure
that IKE processing is disabled, enter the global configuration command
no crypto isakmp enable.

As of IOS version 12.3(2)T (which includes all 12.4-based versions),
crypto configuration is required to enable IKE message processing.

Secure Socket Layer (SSL)

In some Cisco IOS software releases the vulnerable library is used to
process elements of SSL functionalities. SSL is used to protect several
application layer protocols like Hyper Text Transfer Protocol over SSL (HTTPS).

HTTPS is not the only protocol that may use SSL but it is the most
commonly known. In order to determine if your device has HTTPS configured enter
the command show running | include secure. Below
is an example of a device that has HTTPS enabled.

router#show running | include secure-server
ip http secure-server

Threat Information Distribution Protocol (TIDP)

To determine if your device has TIDP enabled, enter the command
show running-config | include parameter-map.
Below is an example of a device that has TIDP enabled.

To determine if your device has EAP-TLS enabled, enter the command
show running-config | include method. Below is
an example of a device that has EAP-TLS enabled.

Router#show running | include method
method tls

Affected protocols in Cisco IOS XR

You are affected by this vulnerability if you are running one of the
vulnerable Cisco IOS XR software releases and have at least one of the
following protocols or features enabled:

Internet Security Association and Key Management Protocol
(ISAKMP)

In some IOS XR releases the Secure Socket Layer (SSL) may also be
affected

Secure Shell (SSH)

In the case of IOS XR, successful exploitation will not crash the
whole device but only the affected service. Successful repeated exploitation of
this vulnerability may lead to a sustained Denial-of-Service (DoS) of affected
services but not the whole device.

Internet Security Association and Key Management Protocol
(ISAKMP)

To determine if your device has ISAKMP enabled, enter the command
show running-config | include isakmp. Below is
an example of a device that has IKE enabled.

SSL is used to provide secure communications to the application layer
protocols like Hyper Text Transfer Protocol over SSL (HTTPS) and Object Request
Brokers (ORB). To determine if your device has any service enabled that uses
SSL, enter one of the following commands show running-config |
include http server ssl or show running-config |
include xml agent corba ssl. Below is an example of a device
that has both of the services enabled.

SSH is an application and a protocol that provides a secure replacement
for the suite of Berkeley r-tools such as rsh, rlogin and rcp. It is strongly
preferred over Telnet for interactive sessions. To determine if your device has
SSH enabled, enter the command show running-config | include ssh
server. Below is an example of a device that has SSH enabled.
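The per-feature checks above for Cisco IOS and IOS XR can be scripted against saved command output. The following Python script is an added example, not part of the advisory or any Cisco tool; the show version and running-config text it examines is constructed, the parameter-map line is a placeholder, and the feature-to-pattern mapping simply encodes the include filters listed in the advisory.

```python
import re

# Constructed sample output from a hypothetical Cisco IOS router (not a real device).
SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(1), RELEASE SOFTWARE (fc1)\n"
)
RUNNING_CONFIG = (
    "ip http secure-server\n"
    "crypto isakmp policy 10\n"
    "parameter-map type placeholder TIDP1\n"   # constructed stand-in for a TIDP line
)

# Indicator patterns taken from the advisory's "show running-config | include ..." checks.
IOS_CHECKS = {
    "IKE/ISAKMP (IPSec, GDOI)": r"^crypto isakmp\b",
    "HTTPS (SSL)": r"^ip http secure-server\b",
    "TIDP": r"^parameter-map\b",
    "EAP-TLS": r"^\s*method tls\b",
}
IOS_XR_CHECKS = {
    "ISAKMP": r"\bisakmp\b",
    "HTTPS (SSL)": r"^http server ssl\b",
    "CORBA over SSL": r"^xml agent corba ssl\b",
    "SSH": r"^ssh server\b",
}

def crypto_feature_set(show_version):
    """Return the image name when its feature designator contains K8/K9, else None."""
    m = re.search(r"\(([\w-]+)\),\s*Version", show_version)
    if not m:
        return None
    image = m.group(1)
    fields = image.split("-")        # e.g. C2600-IK9O3S3-M -> designator IK9O3S3
    if len(fields) >= 2 and re.search(r"K[89]", fields[1], re.IGNORECASE):
        return image
    return None

def enabled_features(config, checks):
    """List every advisory-listed feature whose indicator line appears in the config."""
    return [name for name, pat in checks.items() if re.search(pat, config, re.MULTILINE)]

def assess_ios(show_version, config):
    """IOS is exposed only with a crypto image AND at least one listed feature enabled.
    Releases before 12.3(2)T and 12.2SXD may run IKE with no config line: use show crypto isakmp policy."""
    image = crypto_feature_set(show_version)
    features = enabled_features(config, IOS_CHECKS) if image else []
    return {"image": image, "features": features, "exposed": bool(image and features)}
```

For IOS XR, call enabled_features with IOS_XR_CHECKS on the saved running-config; any non-empty result means at least one affected service is enabled.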

Step 2 - If you are running 4.x software then do the
following: from the Server drop-down list box, choose the publisher database
server. If you are running 5.x software then do the following: From the Server
drop-down list box, choose the first node.

In order to determine if Cisco Unified CallManager TSP is installed
open Windows Control Panel (Start > Control Panel) and
click on Add/Remove Programs. If 'Cisco Unity-CM TSP' is
listed then you have it installed on your system.

ASN.1 is defined by ITU-T (International Telecommunication Union -
Telecommunication Standardization Sector) standards and it describes, among
other things, data structures for encoding values. The vulnerability addressed
by this advisory is related to the implementation of parsing certain data
structures and is not a vulnerability in the standard itself.

Protocols that use ASN.1 (e.g., voice over IP, Simple Network
Management Protocol and others), but do not rely on the vulnerable crypto
library, are not affected. This advisory only addresses an implementation issue
in a particular crypto library from a single vendor.
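To illustrate the kind of input handling at issue, the following Python is an added example, not the library's code and not a reproduction of the advisory's defect: a minimal DER tag-length-value reader that validates every length field against the bytes actually present before using it, run over constructed well-formed and malformed samples.

```python
# Constructed DER samples (not taken from the advisory).
GOOD = bytes.fromhex("300a020105040568656c6c6f")  # SEQUENCE { INTEGER 5, OCTET STRING "hello" }
TRUNCATED = bytes.fromhex("3010020105")           # SEQUENCE claims 16 bytes, only 3 follow
OVERLONG = bytes.fromhex("3084ffffffff00")        # long-form length 0xFFFFFFFF, 1 byte follows

class DERError(ValueError):
    pass

def read_tlv(buf, pos=0):
    """Read one tag-length-value at buf[pos:] and return (tag, value, next_pos).
    Every length is checked against the bytes actually present, so a malformed
    length can never make the caller index past the buffer."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not supported")
    if first < 0x80:                                  # short form
        length = first
    else:                                             # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DERError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
            raise DERError("non-minimal length encoding")   # DER requires the shortest form
        pos += n
    if length > len(buf) - pos:
        raise DERError("length %d exceeds %d remaining bytes" % (length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(buf):
    """Decode a top-level SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise DERError("expected exactly one SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        children.append((t, v))
    return children

def is_malformed(buf):
    """True when the strict parser rejects the input instead of reading out of bounds."""
    try:
        parse_sequence(buf)
        return False
    except DERError:
        return True
```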

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Successful exploitation of the vulnerability listed in this advisory
may result in the crash of a vulnerable device. Repeated exploitation can
result in a sustained DoS attack.

In the case of IOS XR, successful exploitation will not crash the whole
device but only the affected service. Successful repeated exploitation of this
vulnerability may lead to a sustained Denial-of-Service (DoS) of affected
services but not the whole device.

When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
assistance.

Each row of the Cisco IOS software table (below) describes a release
train. If a given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the anticipated
date of availability for each are listed in the "Rebuild" and "Maintenance"
columns. A device running a release in the given train that is earlier than the
release in a specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated release or
a later version (greater than or equal to the First Fixed Release
label).

This vulnerability is fixed in the following 7.x software releases:
7.0(6.7), 7.1(2.27), 7.2(1.22), 7.2(2). All 8.x software releases contain
the fixed library and are not affected. No 6.x software releases are affected
by this vulnerability.

The only way to prevent a device being susceptible to the listed
vulnerabilities is to disable the affected service(s). However, if regular
maintenance and operation of the device relies on these services then there is
no workaround.

Control Plane Policing: IOS software versions that support
Control Plane Policing (CoPP) can be configured to help
protect the device from attacks that target the management and control planes.
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T.

In the CoPP example below, the ACL entries that match the exploit
packets with the permit action will be discarded by the policy-map drop
function, while packets that match a deny action (not shown) are not affected
by the policy-map drop function.

!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be governed by CoPP
!-- port 443 - HTTPS
access-list 100 permit tcp any any eq 443
!-- port 500 - IKE
access-list 100 permit udp any any eq 500
!-- port 848 - GDOI
access-list 100 permit tcp any any eq 848
!-- port 5060 - SIP-TLS
access-list 100 permit tcp any any eq 5060
!-- port 5354 - TIDP
access-list 100 permit tcp any any eq 5354
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all Drop-Known-Undesirable
  match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map CoPP-Input-Policy
  class Drop-Known-Undesirable
    drop
!
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
  service-policy input CoPP-Input-Policy

Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the
policy-map syntax is different:

NOTE: In the above CoPP example, the ACL entries with the
"permit" action that match the exploit packets result in the
discarding of those packets by the policy-map drop function, while packets that
match the "deny" action are not affected by the policy-map drop
function.

Access control lists (ACLs) can be used to help mitigate attacks that attempt
to exploit these vulnerabilities. The ACLs are configured so that only packets
from legitimate sources are allowed to reach the device and all others are
dropped.

Cisco has released software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers with contracts should obtain software through their regular update channels. For most customers, software patches and bug fixes should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale,
should obtain software patches and bug fixes by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

+1 800 553 2447 (toll free from within North America)

+1 408 526 7209 (toll call from anywhere in the world)

e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a software patch or bug fix. Customers without service contracts should request a software patch or bug fix through the TAC.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

cust-security-announce@cisco.com

first-teams@first.org

bugtraq@securityfocus.com

vulnwatch@vulnwatch.org

cisco@spot.colorado.edu

cisco-nsp@puck.nether.net

full-disclosure@lists.grok.org.uk

comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.